Hi,

I have shorewall configured on my gateway to limit incoming http traffic, and it didn't work until I configured the marking in the POSTROUTING.

Here is the config I had (which didn't work):

In shorewall.conf:

    MARK_IN_FORWARD_CHAIN=No

In tcrules:

    # Mark http with mark 8
    8 0.0.0.0/0 0.0.0.0/0 tcp http -
    8 0.0.0.0/0 0.0.0.0/0 tcp - http

In tcclasses:

    $IF_LOC 8 256kbit 256kbit 7
    $IF_LOC 9 100kbit full 9 default

With this, the default rule is applied. I need to have these rules in tcrules to make it work:

    8:P 0.0.0.0/0 0.0.0.0/0 tcp http -
    8:P 0.0.0.0/0 0.0.0.0/0 tcp - http

I thought it would have worked with the mark set in PREROUTING. Am I missing something obvious here? (If you have pointers to good doc, feel free to share!)

Moreover, this config gave satisfactory results with shorewall 3, but broke with shorewall 4 (upgrade of Debian, which switched from shorewall 3 to 4). Did something change between both versions, or is it another element like iptables that has another behaviour?

Thanks in advance
Raph